Google has one of the older bug bounty programs in existence, and the company often makes changes to its rules in an effort to stay current with the security landscape. The latest change is another increase in the rewards that the company will pay to researchers who report certain bugs, including cross-site scripting in sensitive Web properties, to $7,500.
The changes to the top rewards are fairly significant, more than doubling the highest bounty available for certain bugs from $3,133.70 to $7,500. Specifically, Google is now offering the higher amount to researchers who find XSS vulnerabilities in https://accounts.google.com. That’s obviously a high-value target for attackers and Google is hoping that the increased reward will draw more attention to it from researchers, as well.
In addition to the higher reward for XSS vulnerabilities in the accounts page, Google is also now offering $5,000, up from $1,337, for the same type of flaws in Gmail and Google Wallet. Researchers who report what Google deems significant authentication bypasses or information leaks in the company’s Web properties will also receive $7,500.
“Our vulnerability reward programs have been very successful in helping us fix more bugs and better protect our users, while also strengthening our relationships with security researchers. Since introducing our reward program for web properties in November 2010, we’ve received over 1,500 qualifying vulnerability reports that span across Google’s services, as well as software written by companies we have acquired. We’ve paid $828,000 to more than 250 individuals, some of whom have doubled their total by donating their rewards to charity. For example, one of our bug finders decided to support a school project in East Africa,” Google’s Michal Zalewski and Adam Mein said in a blog post.
“In recognition of the difficulty involved in finding bugs in our most critical applications, we’re once again rolling out updated rules and significant reward increases for another group of bug categories.”
Google’s bug bounty program for its Chromium project began in early 2010 and the company followed that up several months later by expanding it to include Web properties such as Gmail, YouTube and others. Both programs have been quite successful, drawing thousands of submissions from researchers around the world. In the years since Google began its reward program, a number of other companies have followed suit, including Facebook, PayPal, Barracuda and others.